Sawubona ozakwethu! Namuhla ngithanda ukuxoxa ngesihloko esibaluleke kakhulu kubaphathi abaningi be-Check Point: "Ukulungiselela i-CPU ne-RAM." Kuvame ukuba nezimo lapho isango kanye/noma iseva yokuphatha zisebenzisa ngokungalindelekile eziningi zalezi zinsiza, futhi ngingathanda ukuqonda ukuthi βzigelezaβ kuphi futhi, uma kungenzeka, zisebenzise ngokuhlakanipha okwengeziwe.
1. Ukuhlaziya
Ukuhlaziya umthwalo weprosesa, kuyasiza ukusebenzisa imiyalo elandelayo, efakwe kwimodi yochwepheshe:
top ikhombisa zonke izinqubo, inani lezinsiza ze-CPU ne-RAM ezidliwe njengephesenti, isikhathi sokuphumula, ukubaluleka kwenqubo kanye ngesikhathi sangempelaΠΈ
cpwd_admin list Hlola i-Point WatchDog Daemon, ebonisa wonke amamojula ohlelo lokusebenza, i-PID yawo, isimo kanye nenombolo yokuqala
cpstat -f cpu os Ukusetshenziswa kwe-CPU, inombolo yabo kanye nokusabalalisa kwesikhathi sokucubungula njengephesenti
cpstat -f inkumbulo os ukusetshenziswa okubonakalayo kwe-RAM, ingakanani esebenzayo, i-RAM yamahhala nokuningi
Ukuphawula okulungile ukuthi yonke imiyalo ye-cpstat ingabukwa kusetshenziswa insiza cpview. Ukuze wenze lokhu, udinga nje ukufaka umyalo we-cpview kunoma iyiphi imodi kuseshini ye-SSH.
ps awuf uhlu olude lwazo zonke izinqubo, i-ID yabo, inkumbulo ebonakalayo nenkumbulo ku-RAM, CPU
Okunye ukuhluka komyalo:
ps-aF izokhombisa inqubo ebiza kakhulu
fw ctl ukuhambisana -l -a ukusatshalaliswa kwama-cores ezimweni ezihlukene ze-firewall, okungukuthi, ubuchwepheshe be-CoreXL
fw ctl pstat Ukuhlaziywa kwe-RAM nezinkomba ezijwayelekile zokuxhuma, amakhukhi, i-NAT
mahhala -m Ibhafa ye-RAM
Iqembu lifanelwe ukunakwa okukhethekile netsat nokuhluka kwayo. Ngokwesibonelo, netstat -i kungasiza ukuxazulula inkinga yokuqapha amabhodi wokunamathisela. Ipharamitha, i-RX yehla amaphakethe (i-RX-DRP) ekuphumeni kwalo myalo, njengomthetho, ikhula yodwa ngenxa yamaconsi ezivumelwano ezingekho emthethweni (IPv6, Amathegi e-VLAN Angalungile / Angahlosiwe nabanye). Nokho, uma amaconsi kwenzeka ngesinye isizathu, kufanele usebenzise lokhu ukuqala ukuphenya nokuqonda ukuthi kungani inethiwekhi enikeziwe ilahla amaphakethe. Ngemva kokuthola isizathu, ukusebenza kohlelo lokusebenza kungathuthukiswa.
Uma i-Monitoring blade inikwe amandla, ungakwazi ukubuka lawa mamethrikhi ngezithombe ku-SmartConsole ngokuchofoza entweni bese ukhetha "Ulwazi Lwedivayisi Nelayisensi."
Akunconywa ukuthi uvule i-Monitoring blade unomphela, kodwa ngosuku lokuhlolwa kungenzeka.
Ngaphezu kwalokho, ungakwazi ukwengeza imingcele eyengeziwe yokuqapha, enye yazo iwusizo kakhulu - I-Bytes Throughput (i-application throughput).
Uma kukhona olunye uhlelo lokuqapha, isibonelo, mahhala , ngokusekelwe ku-SNMP, ifanele futhi ukuhlonza lezi zinkinga.
2. I-RAM ivuza ngokuhamba kwesikhathi
Umbuzo uvame ukuvela ukuthi ngokuhamba kwesikhathi, isango noma iseva yokuphatha iqala ukusebenzisa i-RAM eyengeziwe. Ngifuna ukukuqinisekisa: lena indaba evamile yamasistimu afana ne-Linux.
Ukubheka okukhipha imiyalo mahhala -m ΠΈ cpstat -f inkumbulo os kuhlelo lokusebenza kusuka kumodi yochwepheshe, ungakwazi ukubala futhi ubuke yonke imingcele ehlobene ne-RAM.
Ngokusekelwe kumemori etholakalayo esangweni okwamanje Imemori yamahhala + Buffers Memory + Inkumbulo Yenqolobane = +-1.5 GB, ngokuvamile.
Njengoba i-CP isho, ngokuhamba kwesikhathi isango/iseva yokuphatha ikhulisa futhi isebenzisa inkumbulo eyengeziwe, ifinyelela cishe ku-80% ukusetshenziswa, futhi iyama. Ungaqalisa kabusha idivayisi, bese inkomba izosethwa kabusha. U-1.5 GB we-RAM yamahhala wanele ncamashi ukuze isango lenze yonke imisebenzi, futhi abaphathi abavamile ukufinyelela amanani anjalo.
Futhi, imiphumela yemiyalelo eshiwo izobonisa ukuthi ungakanani Imemori ephansi (RAM esikhaleni somsebenzisi) kanye Inkumbulo ephezulu (I-RAM esikhaleni se-kernel) isetshenzisiwe.
Izinqubo ze-Kernel (kuhlanganise namamojula asebenzayo njengamamojula we-Check Point kernel) zisebenzisa imemori ephansi kuphela. Nokho, izinqubo zomsebenzisi zingasebenzisa kokubili inkumbulo Ephansi Nephezulu. Ngaphezu kwalokho, inkumbulo ephansi icishe ilingane ne Ingqikithi Yememori.
Kufanele ukhathazeke kuphela uma kukhona amaphutha kulogi "Amamojula aqalisa kabusha noma acutshungulwe ukuze kubuyiselwe inkumbulo ngenxa ye-OOM (Iphelelwe yinkumbulo)". Khona-ke kufanele uqalise kabusha isango futhi uxhumane nosekelo uma ukuqalisa kabusha kungasizi.
Incazelo egcwele ingatholakala kokuthi ΠΈ .
3. Ukwenza ngcono
Ngezansi kukhona imibuzo nezimpendulo ekulungiseleleni i-CPU ne-RAM. Kufanele uziphendule ngokwethembeka kuwena futhi ulalele izincomo.
3.1. Ingabe uhlelo lokusebenza lukhethwe ngendlela efanele? Ingabe bekukhona iphrojekthi yokuhlola?
Naphezu kokulinganisa okufanele, inethiwekhi ingamane ikhule, futhi le mishini ayikwazi ukubhekana nomthwalo. Inketho yesibili iwukuthi uma bekungekho ukulinganisa okunjalo.
3.2. Ingabe ukuhlolwa kwe-HTTPS kunikwe amandla? Uma uthi yebo, ingabe ubuchwepheshe bumisiwe ngokwe-Best Practice?
Bukela ku , uma uyiklayenti lethu, noma .
Ukuhleleka kwemithetho kunqubomgomo yokuhlola ye-HTTPS idlala indima enkulu ekuthuthukiseni ukuvulwa kwamasayithi e-HTTPS.
I-oda elinconyiwe lemithetho:
- Imithetho ye-Bypass enezigaba/ama-URL
- Hlola imithetho ngezigaba/ama-URL
- Hlola imithetho yazo zonke ezinye izigaba
Ngokufanisa nenqubomgomo ye-firewall, i-Check Point isesha okufanayo ngamaphakethe ukusuka phezulu kuye phansi, ngakho-ke kungcono ukubeka imithetho yokudlula phezulu, ngoba isango ngeke lichithe izinsiza ekusebenzeni kuyo yonke imithetho uma leli phakethe lidinga. ezophasiswa.
3.3 Ingabe kusetshenziswa izinto zohlu lwamakheli?
Izinto ezinobubanzi bekheli, isibonelo, inethiwekhi 192.168.0.0-192.168.5.0, ithatha ngokuphawulekayo i-RAM engaphezu kwezinto ezi-5 zenethiwekhi. Ngokuvamile, kuthathwa njengomkhuba omuhle ukususa izinto ezingasetshenzisiwe ku-SmartConsole, kusukela ngaso sonke isikhathi lapho kufakwa inqubomgomo, i-gateway neseva yokuphatha zisebenzisa izinsiza futhi, okubaluleke kakhulu, isikhathi, ukuqinisekisa nokusebenzisa inqubomgomo.
3.4. Ilungiswa kanjani inqubomgomo Yokuvimbela Usongo?
Okokuqala nje, i-Check Point incoma ukubeka i-IPS kuphrofayela ehlukile nokudala imithetho ehlukene yale blade.
Isibonelo, umlawuli ukholelwa ukuthi ingxenye ye-DMZ kufanele ivikelwe kuphela kusetshenziswa i-IPS. Ngakho-ke, ukuvimbela isango ekumosheni izinsiza ekucubunguleni amaphakethe ngamanye ama-blade, kuyadingeka ukudala umthetho oqondile wale ngxenye ngephrofayili lapho i-IPS kuphela inikwe amandla.
Mayelana nokusetha amaphrofayili, kuyanconywa ukuthi ukusethe ngezinqubo ezihamba phambili kulokhu (amakhasi 17-20).
3.5. Kuzilungiselelo ze-IPS, mangaki amasiginesha akhona kumodi ye-Detect?
Kunconywa ukutadisha ngokucophelela amasiginesha ngomqondo wokuthi angasetshenzisiwe kufanele akhutshazwe (isibonelo, amasiginesha okusebenza kwemikhiqizo ye-Adobe adinga amandla amaningi okwenza ikhompuyutha, futhi uma ikhasimende lingenayo imikhiqizo enjalo, kunengqondo ukukhubaza amasiginesha). Okulandelayo, faka okuthi Vimbela esikhundleni se-Detect lapho kungenzeka khona, ngoba isango lichitha izinsiza ekucubunguleni konke ukuxhumana kumodi ye-Detect; kumodi yokuvimbela, ilahla ngokushesha ukuxhumana futhi ayimoshi izinsiza ekucubunguleni iphakethe ngokugcwele.
3.6. Imaphi amafayela acutshungulwa Ukulingiswa Kosongo, Ukukhishwa Kosongo, ama-Anti-Virus blades?
Akunangqondo ukulingisa nokuhlaziya amafayela ezandiso abasebenzisi bakho abangawalandi, noma ucabanga ukuthi akudingekile kunethiwekhi yakho (isibonelo, i-bat, amafayela e-exe angavinjelwa kalula kusetshenziswa i-Content Awareness blade ezingeni lokuvikela, ngakho-ke isango elincane izinsiza zizosetshenziswa). Ngaphezu kwalokho, kuzilungiselelo ze-Treat Emulation ungakhetha Imvelo (uhlelo olusebenzayo) ukulingisa izinsongo kubhokisi lesihlabathi nokufaka Imvelo Windows 7 lapho bonke abasebenzisi besebenza ngenguqulo ye-10 nawo akwenzi mqondo.
3.7. Ingabe imithetho ye-firewall kanye neleveli yohlelo lokusebenza ihlelwa ngokuhambisana nokusebenza okungcono kakhulu?
Uma umthetho unama-hits amaningi (okufanayo), ngakho-ke kunconywa ukuwabeka phezulu kakhulu, futhi imithetho enenani elincane lokushaya - phansi kakhulu. Okubalulekile wukuqinisekisa ukuthi aziphambanisi noma azigqagqani. Ukwakhiwa kwenqubomgomo yokuvikela okunconyiwe:
Izincazelo:
Imithetho Yokuqala - imithetho enenani elikhulu lokufanayo ibekwe lapha
Umthetho Womsindo - umthetho wokulahla ithrafikhi engamanga njenge-NetBIOS
I-Stealth Rule - ivimbela izingcingo eziya kumasango nabaphathi kubo bonke ngaphandle kwaleyo mithombo eshiwo Ekuqinisekiseni Imithetho Yesango.
Imithetho Yokuhlanza, Yokugcina kanye Neyokuwisa ngokuvamile ihlanganiswa ibe umthetho owodwa ukuze kwenqabele yonke into ebingavunyelwe ngaphambilini.
Idatha yokwenza okuhle kakhulu ichazwe ku .
3.8. Yiziphi izilungiselelo amasevisi adalwe abalawuli anazo?
Isibonelo, enye isevisi ye-TCP idalwe embotsheni ethile, futhi kunengqondo ukungamaka okuthi "Fanisa Noma yikuphi" kuzilungiselelo ezithuthukisiwe zesevisi. Kulokhu, le sevisi izowela ngokuqondile ngaphansi komthetho evela kuwo, futhi ngeke ibambe iqhaza emithethweni lapho Noma iyiphi ifakwe ohlwini lwekholomu Yezinkonzo.
Ekhuluma ngamasevisi, kufanelekile ukusho ukuthi ngezinye izikhathi kuyadingeka ukulungisa isikhathi sokuvala. Lesi silungiselelo sizokuvumela ukuthi usebenzise izinsiza zesango ngokuhlakanipha, ukuze ungabambi isikhathi esengeziwe seseshini ye-TCP/UDP yamaphrothokholi angadingi isikhathi esikhulu sokuvala. Isibonelo, kusithombe-skrini esingezansi, ngishintshe isikhathi sokuvala sesevisi yesizinda-udp sisuka kumasekhondi angama-40 saya kumasekhondi angama-30.
3.9. Ingabe i-SecureXL isetshenzisiwe futhi liyini iphesenti lokusheshisa?
Ungahlola ikhwalithi ye-SecureXL usebenzisa imiyalo eyisisekelo kwimodi yochwepheshe esangweni izibalo ze-fwaccel ΠΈ fw accel izibalo -s. Okulandelayo, udinga ukuthola ukuthi hlobo luni lwethrafikhi olusheshiswayo, nokuthi yiziphi ezinye izifanekiso ezingadalwa.
Ama-Drop Templates awanikwa amandla ngokuzenzakalela; ukuwanika amandla kuzozuzisa i-SecureXL. Ukuze wenze lokhu, iya kuzilungiselelo zesango kanye nethebhu ethi Optimizations:
Futhi, lapho usebenza neqoqo ukuze uthuthukise i-CPU, ungakhubaza ukuvumelanisa kwezinsizakalo ezingabalulekile, njenge-UDP DNS, ICMP nezinye. Ukwenza lokhu, iya kuzilungiselelo zesevisi β Okuthuthukisiwe β Vumelanisa ukuxhumana Kokuvumelanisa Kwesifunda kunikwe amandla kuqoqo.
Zonke Izenzo Ezinhle Kakhulu zichazwe ku .
3.10. I-CoreXl isetshenziswa kanjani?
Ubuchwepheshe be-CoreXL, obuvumela ukusetshenziswa kwama-CPU amaningi ezenzakalweni zohlelo lokuvikela (amamojula we-firewall), ngokuqinisekile kusiza ukukhulisa ukusebenza kwedivayisi. Ithimba kuqala fw ctl ukuhambisana -l -a izobonisa izimo ze-firewall ezisetshenzisiwe kanye namaphrosesa anikezwe i-SND (imojula esabalalisa ithrafikhi kumabhizinisi okuvikela umlilo). Uma kungewona wonke amaphrosesa asetshenziswayo, angangezwa ngomyalo cpconfig esangweni.
Futhi indaba enhle ukubeka ukuze unike amandla i-Multi-Queue. I-Multi-Queue ixazulula inkinga lapho iphrosesa ene-SND isetshenziswa ngamaphesenti amaningi, futhi izimo ze-firewall kwamanye amaphrosesa azisebenzi. Khona-ke i-SND izoba nekhono lokudala olayini abaningi be-NIC eyodwa futhi ibeke izinto ezibalulekile ezibalulekile zethrafikhi ehlukahlukene ezingeni le-kernel. Ngakho-ke, ama-CPU cores azosetshenziswa ngobuhlakani kakhulu. Izindlela nazo zichazwe ku .
Sengiphetha, ngithanda ukusho ukuthi lezi akuzona zonke Izindlela Ezinhle Kakhulu zokuthuthukisa i-Check Point, kodwa zidume kakhulu. Uma ungathanda uku-oda ukuhlolwa kwenqubomgomo yakho yezokuphepha noma uxazulule inkinga ehlobene ne-Check Point, sicela uxhumane [i-imeyili ivikelwe].
Π‘ΠΏΠ°ΡΠΈΠ±ΠΎ Π·Π° Π²Π½ΠΈΠΌΠ°Π½ΠΈΠ΅!
Source: www.habr.com